Ticket 5338: Race conditions in key rotation
jaltman at secure-endpoints.com
Mon Jun 23 18:13:31 EDT 2008
Nicolas Williams wrote:
> On Mon, Jun 23, 2008 at 04:09:56PM -0400, Jeffrey Altman wrote:
>> I am going to write a patch to introduce fail over to the master
>> for all tgs requests. I will add it to ticket 5338 and it can
>> then be evaluated for inclusion.
> Note: failover needs to not happen if a master is not defined...
> I know, it seems obvious...
> But also, it may be a good idea to make it optional, or to make failover
> be more of a "try another KDC" option.
> The client's behaviour shouldn't prevent/complicate the possibility of
> having kadmind instances running on all the KDCs nor multi-master
In MIT Kerberos a KDC server running kadmind is not necessarily a
master. The master notion is only defined if the master_kdc is
explicitly configured. If "master_kdc" is not defined, then the
failover to master functionality is not used.